All Your Codes Belong To Me!!



Keith Howell 



Electronics Engineer in the British Army 

Network Engineer and Security Engineer for UUNET Technologies 

Professional Locksmith and Access Control Technician 

Security Engineer for Assurance Data Inc 

Member of the local NoVaHackers group 
All Your Codes Belong To Me!!

A voyage into the secrets of alarm panels and a whole 
new world of "security by obscurity" 



I also hope to show you how it is not too difficult for 
people in computer security to adapt their skills and 
explore the field of physical security 
Starting the Investigation

Alarm system uses a 4 wire bus between the panel and
additional devices such as keypads:

Ground (black wire)
Power
Data In (green wire)
Data Out (yellow wire)
First Look At The Bus

How?

Unknown Voltage
Unknown Protocol

Oscilloscope

High Impedance
Voltage Isolated
Simple Measurements
First Look At The Bus

Ch1: 2 V/div    Time Base: 40 ms/div
What is the bus?

RS-485

Does not use differential signaling
Wrong voltages (-7v to +12v)

What is the bus?

RS-422

Does not use differential signaling
Wrong voltages (-6v to +6v)

What is the bus?

RS-232

There is no negative voltage on the data lines

What is the bus?

Protocol information and images from:

http://en.wikipedia.org/wiki/Rs485
http://en.wikipedia.org/wiki/Rs422
http://en.wikipedia.org/wiki/Rs232

What is the bus?

What now?

Search the internet of course!!

http://www.google.com/patents/US6868493
System and method for panel linking in a security system

Not much use on the protocol, but some interesting block
diagrams on the contents of data packets

What is the bus?

More reading of patents for clues

In patents US20090232307 and US20090083828, there
is the same diagram with the wording:

ECP bus (proprietary protocol) RS232 like protocol
What Next?

RS-232 spec is rather flexible in the voltage needed
12v tolerant on the I/P pins
Let's try a PC Serial interface!

miniterm.py

Simple python terminal program included in the pyserial 2.6
package




Keith Howell - Shmoocon 2012 



Using miniterm.py

Usage: miniterm.py [options] [port [baudrate]]

Miniterm - A simple terminal program for the serial port

Options:
  -h, --help            show this help message and exit
  -p PORT, --port=PORT  port, a number or a device name
  -b BAUDRATE, --baud=BAUDRATE
                        set baud rate, default 9600
  --parity=PARITY       set parity, one of [N, E, O, S, M], default=N
Using miniterm.py

Physical wiring

■ Pin 3 - Receive
■ Pin 5 - Ground

kch:~$ miniterm.py /dev/ttyUSB0 4800
Using miniterm.py

Live Demo!!!

[Terminal screenshot]
kch:~$ miniterm.py -p /dev/ttyUSB0 -b 4800 --parity=E
--- Miniterm on /dev/ttyUSB0: 4800,8,E,1
--- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H ---
[the panel repeats the same keypad display message; each text field is preceded by a few non-printable bytes that the terminal renders as junk]
...SYSTEM 1 STATUS ... ****DISARMED****  READY TO ARM
...SYSTEM 1 STATUS ... ****DISARMED****  READY TO ARM
...SYSTEM 1 STATUS ... ****DISARMED****  READY TO ARM
...SYSTEM 1 STATUS ... ****DISARMED****  READY TO ARM
exit
kch:~$
Investigating Further

So what is the next step?

Logic Analyser
■ only designed for 5 v max level!
  (don't let the blue smoke monster out!!)

Solution - RS232 level shifter
Investigating Further

[Schematic: "RS232 Shifter v2", Spark Fun Electronics, http://www.sparkfun.com.
RS-In from the DB9 on one side; 4-pin header VCC, GND, TX, RX on the other.]

NOTE: Reverse insertion of Polarized Capacitor
TX/RX is in relation to the board
TX will connect to the uC RX Pin
Investigating Further

[ASCII-art schematic in the original; the wiring between the two sides is not recoverable from this extraction]
# SERIAL Adapter schematics by Sean Mathews @ Nu Tech Software Solutions
#
# RS232 CONNECTOR                 ALARM PANEL
#   1 (CD)                          VCC 12v
#   2 (RXD)                         DO YELLOW
#   3 (TXD)                         DI GREEN
#   4 (DTR)
#   5 (GND)
#   6 (DSR)
#   7 (RTS)
#   8 (CTS)
#
# Q1/Q2 and R2/R3 sit between the connector and the bus lines
# R2-R3 10k
# Q1-Q2 2n3904

http://www.diysecurityforum.com
Investigating Further

Logic Analyzer

http://www.saleae.com/Logic
Investigating Further

Live demo time again

[Screenshot: Saleae Logic 1.1.15 - [Connected] - 5 M Samples @ 1 MHz, capture window around +60 ms]
Investigating Further

Serial port shifter designed for RX and TX interface to
a microcontroller

only 'reads' one line at a time

to monitor both lines needs two level shifters
Investigating Further

[MAX232 datasheet extract: TOP VIEW pinout and the capacitor table]

CAPACITANCE (uF)
DEVICE     C1      C2     C3     C4     C5
MAX220     0.047   0.33   0.33   0.33   0.33
MAX232     1.0     1.0    1.0    1.0    1.0
MAX232A    0.1     0.1    0.1    0.1    0.1

Diagrams continued in the full data sheet
MAX232 Circuit

[Schematic: PC serial port (pin 2 RX, pin 4 DTR) wired to a MAX232.
MAX232 pins shown: Vcc (16), C1+, C1-, C2+, C2-, V+, V-, T1in, T2in, R1in, R1out, R2in;
charge-pump capacitors 1uF (e.g. C3); the 400K and 5K values are the chip's internal input resistors.]
MAX232 very common

capacitors easy to get

simple to solder up

MAX232 Circuit

What Was That?

Analyzing the Bus Traffic

Demonstration.

Capture of both data lines using the max232
Analyzing the Bus Traffic

Decoding still is not 100%. Message should be

****DISARMED****

Missing '*' at the start

[Logic analyzer capture of the message, +3 ms to +5 ms]
More Research on Bus Traffic

More research needed
back to the internet

article from "Circuit Cellar" magazine issue 201

Reverse-Engineered ECP Bus

http://www.circuitcellar.com

More Research on Bus Traffic

Author Miguel Sanchez details:
Problems with protocol violations
Timing issues trying to send data from perl
Using a RCM3710 Microprocessor Core

http://www.rabbitsemiconductor.com

More Research on Bus Traffic

While doing more research:

http://www.diysecurityforum.com/index.php?topic=10480

Someone else has solved the problem!

More Research on Bus Traffic

NuTech Software Solutions

AD2USB Adapter

PIC microcontroller with ECP and USB interfaces
- Virtual Keypad software

Standard FTDI usb chip used (should be Linux friendly)
No more converter, just connect and go!

http://www.nutech.com/online-store/4.htm
The AD2USB Adapter

The Virtual Keypad

[Screenshot of the virtual keypad]
F1   1 OFF       2 AWAY    3 STAY
F2   4 MAX       5 TEST    6 BYPASS
F3   7 INSTANT   8 CODE    9 CHIME
F4   *           READY     #
What Can It Do?

Full interface to the ECP Bus

Interfaces correctly with the TX and RX data

Uses standard ascii text to send data

Converts keystrokes to data transmission packet

A simple python program can do the rest!
What Can It Do?

[Terminal screenshot]
Starting brute force of panel
PIN = 1010 ==[ Part.1 A0 * P1 User 04 Auth=3 ]     (Operator A Code)
PIN = 1111 ==[ Part.1 A0 * P1 User 03 Auth=5 ]     (Operator C Code)
PIN = 1234 ==[ Part.1 A0 * P1 User 02 Auth=10 ]    (Master Code)
PIN = 1337 ==[ Part.1 A0 * P1 User 05 Auth=1 ]     (Master Code)
1399 21:01:30 100.0% completed
Reached PINSTOP = 1399
Elapsed = 1836.31077814
Count = 399
Rate = 0.21728348205
kch:~$

399 in 1836 sec = 30 min realtime

9999 run takes over 13 hours!
Some "Gotcha's"!

■ different panels have different features

■ could trigger "duress" codes!

■ Police/Fire/EMS might show up if you try this on a
live panel!

■ could be logged by the panel (if configured) - but I
was not blocked on the panel I tried it on

The technique I used on the panel I have also worked
when the panel was armed!!!
There Must Be A Better Way?

How about sniffing the wire?

Yes. Not with the stock firmware though.

Many thanks to Sean Mathews the designer of the
AD2USB for a debug enabled version of the firmware

I wrote a keystroke sniffing module for the virtual
keypad

Demonstration Time

Other Devices

How did any other devices communicate?

Was this also in plain text?

Turns out - No. Not quite.

The data sent to the panel uses bit-fields packed into
bytes

This is the same type of data I interpret to read the
keystrokes
Data Communications

Keypad sending 1234
(fe)(c0)(02)(01)(3d)
(fe)(00)(02)(02)(fc)
(fe)(40)(02)(03)(bb)
(fe)(80)(02)(04)(7a)

Data Communications

Header
Number of bytes
Data byte(s)
Checksum
Unknown Data!

Data appears in my logs when I am not doing
anything!

RF receiver is picking up *any* device in range

Most sensors are 'supervised' and send out regular
"check-in" messages to the panel

Unknown Data!

(fb)(02)(51)(82)(66)(7f)

!RFX:0157311,80
Unknown Data

RFX:0000264
RFX:0008248
RFX:0027768
RFX:0039424
RFX:0039616
RFX:0040192
RFX:0040256
RFX:0040320
RFX:0040384
RFX:0049290
RFX:0067584
RFX:0067600
RFX:0067616
RFX:0067632
RFX:0133136
RFX:0133379
RFX:0157311
RFX:0251840
RFX:0267813
RFX:0272005
RFX:0288708
RFX:0393296
RFX:05726:

Where is it coming from?

Data is sent by the RF receiver

Only 0027768 is my sensor

Must be other devices in the area

I guess my neighbors use compatible devices!!
Some of it is me!

1/25/2012 9:02:32 PM !DBG:(fb)(02)(51)(80)(6c)(78)
1/25/2012 9:02:32 PM !RFX:0027768,a0
1/25/2012 9:02:32 PM !DBG:(a0)(a9)(fb)(02)(54)(82)(09)(03)
1/25/2012 9:02:32 PM !RFX:0133379,00
1/25/2012 9:02:33 PM !DBG:(00)(1c)(fb)(02)(51)(86)(00)(50)
1/25/2012 9:02:33 PM !RFX:0393296,20
1/25/2012 9:02:36 PM !DBG:(20)(b7)
1/25/2012 9:02:36 PM !DBG:(fb)(02)(54)(80)(6c)(78)
1/25/2012 9:02:36 PM !RFX:0027768,80
1/25/2012 9:02:37 PM !DBG:(80)(c6)(fb)(02)(51)(82)(08)(10)
1/25/2012 9:02:37 PM !RFX:0133136,1c
1/25/2012 9:02:39 PM !DBG:(1c)(f7)
Activity Around The Con

RFX:0000270
RFX:0002716
RFX:0012112
RFX:0012608
RFX:0020454
RFX:0022118
RFX:0023788
RFX:0025194
RFX:0027710
RFX:0027768
RFX:0029252
RFX:0063944
RFX:0112424
RFX:0128563
RFX:0134582
RFX:0349026
RFX:0363444
RFX:0400730
RFX:0478161
RFX:0483563
RFX:0527492
RFX:0638358
RFX:0819607
RFX:0922035
RFX:1022140
RFX:1026268
RFX:1040738
RFX:1040760
Tracking a Sensor

1/28/2012 3:37:47 PM !RFX:0819607,80    Loop 1 triggered
1/28/2012 3:37:49 PM !RFX:0819607,00    Loop 1 reset
1/28/2012 3:40:23 PM !RFX:0819607,80    Loop 1 triggered
1/28/2012 3:40:25 PM !RFX:0819607,00    Loop 1 reset
1/28/2012 3:56:45 PM !RFX:0819607,80    Loop 1 triggered
1/28/2012 3:56:47 PM !RFX:0819607,00    Loop 1 reset

[computer off-line, no logging]

1/28/2012 7:38:15 PM !RFX:0819607,04    Loop 1 supervisor check
1/28/2012 7:51:18 PM !RFX:0819607,80    Loop 1 triggered
1/28/2012 7:51:19 PM !RFX:0819607,00    Loop 1 reset
1/28/2012 9:00:54 PM !RFX:0819607,04    Loop 1 supervisor check
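The "Data Communications" packet layout (header, byte count, data, checksum) and the AD2USB debug dumps above are enough to write a small decoder, which is what a defender logging the bus to an internal server would need. The block below is an added example for this write-up, not code from the talk or from NuTech. Everything about the frame layout is inferred from the byte dumps on these slides and is an assumption, not vendor documentation: the checksum rule (all bytes after the header, checksum included, sum to 0 mod 256, which holds for every dump shown), the fixed frame lengths, and the packing of the !RFX serial number into the low nibble of byte 3 plus bytes 4 and 5 (e.g. 82 66 7f gives 0157311). The three status labels are the ones the "Tracking a Sensor" slide gives; treating the status byte as a bit-field is the example's own generalisation. The sample stream and log are constructed from the dumps on the slides.

```python
"""Decode ECP-bus frames from an AD2USB debug log (added example; layout is
inferred from the slides and assumed, not documented by the vendor).

  * header byte: 0xfe = keypad -> panel keystroke, 0xfb = RF receiver relay
  * checksum: every byte after the header, checksum included, sums to 0 mod 256
  * RF frame (8 bytes): fb 02 tt hh s1 s0 st cs
        serial = (hh & 0x0f) << 16 | s1 << 8 | s0, st = loop status byte
  * keypad frame (5 bytes): fe aa 02 kk cs, kk = digit pressed
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
import re

HDR_KEYPAD, HDR_RF = 0xFE, 0xFB
FRAME_LEN = {HDR_KEYPAD: 5, HDR_RF: 8}          # lengths seen on the slides
# Status bits labelled on the "Tracking a Sensor" slide; the bit-field reading
# (so 0xa0 = 0x80 plus an unlabelled 0x20) is this example's assumption.
STATUS_BITS = {0x80: "loop 1 triggered", 0x04: "loop 1 supervisor check"}


@dataclass
class Event:
    kind: str      # "rfx", "key", "bad-checksum" or "unknown"
    detail: str
    raw: bytes


def checksum_ok(frame: bytes) -> bool:
    """Payload bytes plus checksum must sum to zero modulo 256."""
    return len(frame) >= 3 and sum(frame[1:]) & 0xFF == 0


def rf_serial(frame: bytes) -> int:
    """Low nibble of byte 3 carries bits 16..19, bytes 4-5 the low 16 bits."""
    return ((frame[3] & 0x0F) << 16) | (frame[4] << 8) | frame[5]


def describe_status(status: int) -> str:
    if status == 0:
        return "loop 1 reset"
    parts = [name for bit, name in STATUS_BITS.items() if status & bit]
    unknown = status & ~sum(STATUS_BITS)
    if unknown:
        parts.append(f"unlabelled bits 0x{unknown:02x}")
    return ", ".join(parts)


def decode_frame(frame: bytes) -> Event:
    if not checksum_ok(frame):
        return Event("bad-checksum", f"payload sums to 0x{sum(frame[1:]) & 0xFF:02x}", frame)
    if frame[0] == HDR_RF and len(frame) == FRAME_LEN[HDR_RF]:
        serial, status = rf_serial(frame), frame[6]
        return Event("rfx", f"!RFX:{serial:07d},{status:02x} ({describe_status(status)})", frame)
    if frame[0] == HDR_KEYPAD and len(frame) == FRAME_LEN[HDR_KEYPAD]:
        return Event("key", f"keypad sent digit {frame[3]}", frame)
    return Event("unknown", f"header 0x{frame[0]:02x}", frame)


def split_frames(stream: bytes) -> list[bytes]:
    """Cut a raw byte stream into frames by header byte and fixed length.

    The debug log prints the tail of one frame at the start of the next line
    (e.g. "(a0)(a9)"), so framing is done on the byte stream, not on log
    lines. A byte that does not open a known frame is skipped to resync."""
    frames, i = [], 0
    while i < len(stream):
        n = FRAME_LEN.get(stream[i])
        if n is None or i + n > len(stream):
            i += 1
            continue
        frames.append(stream[i:i + n])
        i += n
    return frames


def decode_stream(stream: bytes) -> list[Event]:
    return [decode_frame(f) for f in split_frames(stream)]


RFX_LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) !RFX:(\d+),([0-9a-f]{2})$")


def sensor_timeline(log: str, serial: int) -> list[tuple[datetime, str]]:
    """Turn the !RFX lines for one sensor into (time, status) pairs, as the
    "Tracking a Sensor" slide does by hand."""
    out = []
    for line in log.splitlines():
        m = RFX_LINE.match(line.strip())
        if m and int(m.group(2)) == serial:
            when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            out.append((when, describe_status(int(m.group(3), 16))))
    return out


# Constructed sample: the five RF dumps from the "Some of it is me!" slide,
# then the four keypad frames for "1234" from the "Data Communications" slide.
SAMPLE_STREAM = bytes.fromhex(
    "fb 02 51 80 6c 78 a0 a9"
    "fb 02 54 82 09 03 00 1c"
    "fb 02 51 86 00 50 20 b7"
    "fb 02 54 80 6c 78 80 c6"
    "fb 02 51 82 08 10 1c f7"
    "fe c0 02 01 3d  fe 00 02 02 fc  fe 40 02 03 bb  fe 80 02 04 7a"
)
SAMPLE_LOG = """\
1/28/2012 3:37:47 PM !RFX:0819607,80
1/28/2012 3:37:49 PM !RFX:0819607,00
1/28/2012 7:38:15 PM !RFX:0819607,04
"""

if __name__ == "__main__":
    for ev in decode_stream(SAMPLE_STREAM):
        print(ev.raw.hex(" "), "->", ev.kind, ev.detail)
    for when, what in sensor_timeline(SAMPLE_LOG, 819607):
        print(when, what)
```

The checksum check is the useful defensive part: a frame whose payload does not sum to zero is either corrupted by the level shifter or was never a real frame, and logging it separately keeps noise out of the sensor timeline. The resync-by-one-byte loop in split_frames matters because the capture can start mid-frame.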
What Good Is All This?

Offense
■ Intelligence gathering
■ Covert entry

Defense & Auditing
■ Checking for bad PIN numbers
■ Logging alarm panel to internal servers
■ Activity tracking without alarms

Any Suggestions?
Work in Progress

Currently working on

Decoding header in more detail
Analyzing more of the RF messages
Additional RF device testing
What can be learned without physical access?

Assumptions...

Transmitter is sending out panel status
Wireless keypads transmit keystrokes
Thank You To

http://diysecurityforums
http://www.adafruit.com

Any Questions?